Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-03-2024 12:44
Static task: static1
Behavioral task: behavioral1 (sample file.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20240226-en)
The signatures, memory dumps and process tree below come from behavioral2, the Windows 10 run (the memory.dmp paths are prefixed behavioral2/).
General
- Target: file.exe
- Size: 419KB
- MD5: 8a716466aa6f2d425ec09770626e8e54
- SHA1: 62fb757ea5098651331f91c1664db9fe46b21879
- SHA256: 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815
- SHA512: 54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940
- SSDEEP: 6144:QTCsE3O4yuS5O0RBOInaCa6G6ypdf4Bf7e/DnjBeq04fVXOUvE0CGsSE9BLM:2E3O5uOO0mInnGZCTS84fZLtw
Malware Config
Extracted (family: xworm)
- Version: 5.0
- C2: 5.182.87.154:7000
- VMFidhoqn75fm5lJ (string carried unlabelled in the extracted config)
- Install_directory: %Temp%
- install_file: mdnsresp.exe
The install location is the same one the behaviour below protects: %Temp%\mdnsresp.exe is what the PowerShell children add to the Defender exclusions, and mdnsresp.lnk is what lands in the Startup folder.
Signatures

Detect Xworm Payload (1 IoC)
- YARA rule family_xworm matched behavioral2/memory/2224-10-0x0000000000400000-0x0000000000410000-memory.dmp (PID 2224, the range starting at 0x400000, the conventional 32-bit image base)
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
PureLog Stealer payload (1 IoC)
- YARA rule family_purelog_stealer matched behavioral2/memory/4476-6-0x0000000004E80000-0x0000000004EC8000-memory.dmp (PID 4476, a dynamically allocated range rather than the image)
The two rule hits sit in different processes: family_purelog_stealer in the first-stage process 4476, family_xworm at the image base of the child 2224 that 4476 writes into and calls SetThreadContext on (see the signatures below). That is consistent with 4476 acting as the loader and XWorm being the injected payload, which is also the family the config extractor reported; the report itself does not say which family the outer layer belongs to.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- file.exe: key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation
- file.exe: key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation
(The process tree lists this signature under both file.exe instances, PID 4476 and PID 2224.)
Drops startup file (2 IoCs)
- file.exe: file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk
- file.exe: file opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk
(Attributed to PID 2224 in the process tree. A .lnk in the per-user Startup folder runs at every logon of that user; the report does not show the link's target.)
Suspicious use of SetThreadContext (1 IoC)
- PID 4476 (file.exe) set the thread context of PID 2224 (file.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). (No IoC rows are listed for this signature.)
Suspicious behavior: EnumeratesProcesses (11 IoCs)
- powershell.exe: PID 1420 (2 events), PID 556 (2), PID 3496 (2), PID 4456 (2), PID 1992 (2)
- file.exe: PID 2224 (1 event)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token SeDebugPrivilege enabled by: file.exe PID 4476, file.exe PID 2224, powershell.exe PIDs 1420, 556, 3496, 4456, 1992
Suspicious use of SetWindowsHookEx (1 IoC)
- file.exe PID 2224 (the process that carries the XWorm payload)
SetWindowsHookEx is the API used to install keyboard and mouse hooks among others; the report does not record which hook type was set.
Suspicious use of WriteProcessMemory (23 IoCs)
- PID 4476 (file.exe) wrote to memory of PID 1420 (powershell.exe): 3 events
- PID 4476 (file.exe) wrote to memory of PID 2224 (file.exe): 8 events
- PID 2224 (file.exe) wrote to memory of PID 556 (powershell.exe): 3 events
- PID 2224 (file.exe) wrote to memory of PID 3496 (powershell.exe): 3 events
- PID 2224 (file.exe) wrote to memory of PID 4456 (powershell.exe): 3 events
- PID 2224 (file.exe) wrote to memory of PID 1992 (powershell.exe): 3 events
Three writes into each PowerShell child is the pattern this sandbox also reports for ordinary process creation; the eight writes into PID 2224, paired with the SetThreadContext call from the same parent, are the injection.
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4476)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1420, child of 4476)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAZgBpAGwAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAZgBpAGwAZQAuAGUAeABlADsA
    the -enc argument is base64 over UTF-16LE and decodes to: Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\file.exe; Add-MpPreference -ExclusionProcess file.exe;
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2224, child of 4476)
    command line: C:\Users\Admin\AppData\Local\Temp\file.exe
    - Checks computer location settings
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 556, child of 2224)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\file.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3496, child of 2224)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4456, child of 2224)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1992, child of 2224)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Two details of the tree are worth reading closely. Every command line names System32, but every PowerShell image runs from SysWOW64: that is WoW64 file-system redirection, which only happens when the creating process is 32-bit, so file.exe is a 32-bit binary (the resource tags also list arch:x86). And across the five PowerShell children the chain adds four Defender exclusions, a path and a process entry each for file.exe and for %Temp%\mdnsresp.exe, before the payload's install path from the config is ever used; the first pair is added once encoded (PID 1420) and then again in clear text from the injected process (PIDs 556 and 3496). Adding an exclusion needs local administrator rights, which the sandbox user has; on a hardened host these calls fail and are logged by Defender as configuration-change events.
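The PowerShell chain above is the part of this report an analyst would want to automate: decode the -enc argument, pull out what the Defender exclusions actually cover, and notice that file.exe spawned a second copy of itself (the shape that precedes the SetThreadContext injection). The following is an added example written for this page, not Triage's code and not the sample's. The process-creation records are constructed from the process tree above (the PIDs and command lines are the report's; the (pid, ppid, image, cmdline) layout, the two regular expressions and the function names are this example's own assumptions), so it runs offline and returns the findings instead of only printing them.

```python
"""Added example for this report (not Triage/Hatching code, not the sample's):
re-run the report's process tree as constructed process-creation records,
decode the -enc PowerShell, collect the Defender exclusions, and flag the
self-spawn that precedes the SetThreadContext injection."""
import base64
import re

# Constructed from the process tree above; PIDs and command lines are the
# report's, the record layout (pid, ppid, image, cmdline) is this example's.
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\file.exe"
ENC = (  # the exact -enc argument of PID 1420, split only for line width
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQA"
    "aAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwA"
    "XABUAGUAbQBwAFwAZgBpAGwAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4A"
    "YwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAZgBpAGwAZQAuAGUAeABlADsA"
)
EVENTS = [
    (4476, 0, DROPPER, f'"{DROPPER}"'),
    (1420, 4476, PS_IMAGE, f"{PS} -enc {ENC}"),
    (2224, 4476, DROPPER, DROPPER),
    (556, 2224, PS_IMAGE, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\file.exe'"),
    (3496, 2224, PS_IMAGE, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'"),
    (4456, 2224, PS_IMAGE, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'"),
    (1992, 2224, PS_IMAGE, PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this covers
# the common spellings, not every prefix.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Add-MpPreference -ExclusionPath / -ExclusionProcess / -ExclusionExtension
# with a single-quoted, double-quoted or bare value.
EXCL_RE = re.compile(
    r"(?i)Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|([^\s;]+))"
)


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 over UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode("utf-16-le")


def defender_exclusions(script):
    """(kind, value) for every Add-MpPreference -Exclusion* call in a script."""
    found = []
    for m in EXCL_RE.finditer(script):
        value = next(g for g in m.groups()[1:] if g is not None)
        found.append((m.group(1).lower(), value))
    return found


def triage(events):
    """Decoded scripts, exclusions added (with the PID that added them) and
    parent/child pairs where a process spawned its own image."""
    by_pid = {e[0]: e for e in events}
    findings = {"encoded": {}, "exclusions": [], "self_spawn": []}
    for pid, ppid, image, cmdline in events:
        parent = by_pid.get(ppid)
        if parent and parent[2].lower() == image.lower():
            findings["self_spawn"].append((ppid, pid))
        if image.lower().endswith("powershell.exe"):
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                findings["encoded"][pid] = decoded
            for kind, value in defender_exclusions(decoded or cmdline):
                findings["exclusions"].append((pid, kind, value))
    return findings


if __name__ == "__main__":
    result = triage(EVENTS)
    for pid, script in result["encoded"].items():
        print(f"PID {pid} -enc decodes to: {script}")
    for pid, kind, value in result["exclusions"]:
        print(f"PID {pid} adds Defender exclusion {kind}: {value}")
    for ppid, pid in result["self_spawn"]:
        print(f"PID {ppid} spawned its own image as PID {pid} (injection candidate)")
```

Run against the report's tree this yields six exclusion additions covering four distinct values (path and process for file.exe, path and process for mdnsresp.exe) and one self-spawn, 4476 to 2224. On a live host the same question is answered by `Get-MpPreference` (the ExclusionPath and ExclusionProcess properties) and by the Defender configuration-change events in the Microsoft-Windows-Windows Defender/Operational log; the decoder is also useful on its own, since an encoded command line is opaque to a plain keyword search for Add-MpPreference.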
Network
MITRE ATT&CK Enterprise v15
Downloads (no file names are recorded in this extract)
- Filesize 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- Filesize 18KB
  MD5: 1d29d89f4e75b09c0e0ebb36a241f372
  SHA1: 9171d5d4f837dd2ca01149e2c98c468ae57f3608
  SHA256: 599a27d413252fc423b3f3f0790a900ed3dfcd77825945be64aa2d8a5ee22845
  SHA512: 91860d429cab36532ddbfe7fad754351f14c3db2252f35cd08c3a8decae1d2ef1107413c2bda29e4e82f9d918a035e9adec50a285074595cf57b5f1c3934d0e8
- Filesize 18KB
  MD5: 362597b6f3a0e57a4cabe748234ca0ad
  SHA1: 3053689d00491d2e7f09ea7284b4976022ca4a26
  SHA256: 2833ef07b0d1540609fd541e65a6d12c847e9ca23a7e57ec3c34c807370e5494
  SHA512: 17e5c45e4fbc4d7fca118d997ce751161048f357e278b3b07f04e938b9d6583139cce7cb7f6167b88b3149cb56252f7f6270a13fdd4fc57ba7a75fde18302a8e
- Filesize 18KB
  MD5: 282bdf8d537b615b8ade03d242e87464
  SHA1: 8575757431e2353e40e5b27de3ca8783a06ecc41
  SHA256: e5f82161c5c36db6964d8c45ee555ddb223740956b5dd4fcc6f308024b3d4670
  SHA512: 9d83cffa4ba088b6452b028ae467cdf82496067c479165810b9f9b4a98d9f06f0cbde056c1967058a9c6dbdcf9b8556c4d8c73b784f560f3e0fa412beb241957
- Filesize 18KB
  MD5: 70d025eca7d79d96329801bedd6ae68f
  SHA1: 119974d0fb11548b83876119ba72ae3b76a13847
  SHA256: d9692593a94ac13cd0c275b9d641f89ba309358feb5d6b97cb6e36bef3d30782
  SHA512: ceee0f49403e882f263dca94301795a8b8a21d670a4efd6d015462c669d568ac32bc30a9455ebf7befb39cd5cce21b4b63dbc94d1b19e4532caef502626e8ee0
- Filesize 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82